Add support for unstrusted certificates (#128)

README.md

@@ -38,6 +38,14 @@ Cleanuperr supports both qBittorrent's built-in exclusion features and its own b
 
 Docs can be found [here](https://flmorg.github.io/cleanuperr/).
 
+# <img width="24px" src="./Logo/256.png" alt="Cleanuperr"> Cleanuperr <svg width="14px" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><!--!Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free Copyright 2025 Fonticons, Inc.--><path d="M376.6 84.5c11.3-13.6 9.5-33.8-4.1-45.1s-33.8-9.5-45.1 4.1L192 206 56.6 43.5C45.3 29.9 25.1 28.1 11.5 39.4S-3.9 70.9 7.4 84.5L150.3 256 7.4 427.5c-11.3 13.6-9.5 33.8 4.1 45.1s33.8 9.5 45.1-4.1L192 306 327.4 468.5c11.3 13.6 31.5 15.4 45.1 4.1s15.4-31.5 4.1-45.1L233.7 256 376.6 84.5z"/></svg> Huntarr <img width="24px" src="https://github.com/plexguide/Huntarr.io/blob/main/frontend/static/logo/256.png?raw=true" alt Huntarr></img>
+
+Think of **Cleanuperr** as the janitor of your server; it keeps your download queue spotless, removes clutter, and blocks malicious files. Now imagine combining that with **Huntarr**, the compulsive librarian who finds missing and upgradable media to complete your collection
+
+While **Huntarr** fills in the blanks and improves what you already have, **Cleanuperr** makes sure that only clean downloads get through. If you're aiming for a reliable and self-sufficient setup, **Cleanuperr** and **Huntarr** will take your automated media stack to another level.
+
+<span style="font-size:24px"> ➡️ [**Huntarr**](https://github.com/plexguide/Huntarr.io) ![Huntarr](https://img.shields.io/github/stars/plexguide/Huntarr.io?style=social)</span>
+
 # Credits
 Special thanks for inspiration go to:
 - [ThijmenGThN/swaparr](https://github.com/ThijmenGThN/swaparr)

code/Common/Configuration/General/HttpConfig.cs

@@ -1,4 +1,5 @@
-using Common.Exceptions;
+using Common.Enums;
+using Common.Exceptions;
 using Microsoft.Extensions.Configuration;
 
 namespace Common.Configuration.General;
@@ -10,6 +11,9 @@ public sealed record HttpConfig : IConfig
     
     [ConfigurationKeyName("HTTP_TIMEOUT")]
     public ushort Timeout { get; init; } = 100;
+    
+    [ConfigurationKeyName("HTTP_VALIDATE_CERT")]
+    public CertificateValidationType CertificateValidation { get; init; } = CertificateValidationType.Enabled;
 
     public void Validate()
     {

code/Common/Enums/CertificateValidationType.cs

@@ -0,0 +1,8 @@
+namespace Common.Enums;
+
+public enum CertificateValidationType
+{
+    Enabled = 0,
+    DisabledForLocalAddresses = 1,
+    Disabled = 2
+}

code/Executable/DependencyInjection/MainDI.cs

@@ -1,10 +1,12 @@
 using System.Net;
 using Common.Configuration.General;
 using Common.Helpers;
+using Infrastructure.Services;
 using Infrastructure.Verticals.DownloadClient.Deluge;
 using Infrastructure.Verticals.Notifications.Consumers;
 using Infrastructure.Verticals.Notifications.Models;
 using MassTransit;
+using Microsoft.Extensions.Options;
 using Polly;
 using Polly.Extensions.Http;
 
@@ -62,6 +64,15 @@ public static class MainDI
             {
                 x.Timeout = TimeSpan.FromSeconds(config.Timeout);
             })
+            .ConfigurePrimaryHttpMessageHandler(provider =>
+            {
+                CertificateValidationService service = provider.GetRequiredService<CertificateValidationService>();
+                
+                return new HttpClientHandler
+                {
+                    ServerCertificateCustomValidationCallback = service.ShouldByPassValidationError
+                };
+            })
             .AddRetryPolicyHandler(config);
 
         // add Deluge HttpClient

code/Executable/DependencyInjection/ServicesDI.cs

@@ -3,6 +3,7 @@ using Common.Configuration.DownloadCleaner;
 using Common.Configuration.QueueCleaner;
 using Infrastructure.Interceptors;
 using Infrastructure.Providers;
+using Infrastructure.Services;
 using Infrastructure.Verticals.Arr;
 using Infrastructure.Verticals.ContentBlocker;
 using Infrastructure.Verticals.DownloadCleaner;
@@ -21,6 +22,7 @@ public static class ServicesDI
     public static IServiceCollection AddServices(this IServiceCollection services) =>
         services
             .AddTransient<IDryRunInterceptor, DryRunInterceptor>()
+            .AddTransient<CertificateValidationService>()
             .AddTransient<SonarrClient>()
             .AddTransient<RadarrClient>()
             .AddTransient<LidarrClient>()

code/Executable/appsettings.Development.json

@@ -1,7 +1,8 @@
 {
   "DRY_RUN": true,
   "HTTP_MAX_RETRIES": 0,
-  "HTTP_TIMEOUT": 10,
+  "HTTP_TIMEOUT": 100,
+  "HTTP_VALIDATE_CERT": "enabled",
   "Logging": {
     "LogLevel": "Verbose",
     "Enhanced": true,

code/Executable/appsettings.json

@@ -2,6 +2,7 @@
   "DRY_RUN": false,
   "HTTP_MAX_RETRIES": 0,
   "HTTP_TIMEOUT": 100,
+  "HTTP_VALIDATE_CERT": "enabled",
   "Logging": {
     "LogLevel": "Information",
     "Enhanced": true,

code/Infrastructure/Extensions/IpAddressExtensions.cs

@@ -0,0 +1,55 @@
+using System.Net;
+using System.Net.Sockets;
+
+namespace Infrastructure.Extensions;
+
+public static class IpAddressExtensions
+{
+    public static bool IsLocalAddress(this IPAddress ipAddress)
+    {
+        // Map back to IPv4 if mapped to IPv6, for example "::ffff:1.2.3.4" to "1.2.3.4".
+        if (ipAddress.IsIPv4MappedToIPv6)
+        {
+            ipAddress = ipAddress.MapToIPv4();
+        }
+
+        // Checks loopback ranges for both IPv4 and IPv6.
+        if (IPAddress.IsLoopback(ipAddress))
+        {
+            return true;
+        }
+
+        // IPv4
+        if (ipAddress.AddressFamily == AddressFamily.InterNetwork)
+        {
+            return IsLocalIPv4(ipAddress.GetAddressBytes());
+        }
+
+        // IPv6
+        if (ipAddress.AddressFamily == AddressFamily.InterNetworkV6)
+        {
+            return ipAddress.IsIPv6LinkLocal ||
+                   ipAddress.IsIPv6UniqueLocal ||
+                   ipAddress.IsIPv6SiteLocal;
+        }
+
+        return false;
+    }
+
+    private static bool IsLocalIPv4(byte[] ipv4Bytes)
+    {
+        // Link local (no IP assigned by DHCP): 169.254.0.0 to 169.254.255.255 (169.254.0.0/16)
+        bool IsLinkLocal() => ipv4Bytes[0] == 169 && ipv4Bytes[1] == 254;
+
+        // Class A private range: 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
+        bool IsClassA() => ipv4Bytes[0] == 10;
+
+        // Class B private range: 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
+        bool IsClassB() => ipv4Bytes[0] == 172 && ipv4Bytes[1] >= 16 && ipv4Bytes[1] <= 31;
+
+        // Class C private range: 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
+        bool IsClassC() => ipv4Bytes[0] == 192 && ipv4Bytes[1] == 168;
+
+        return IsLinkLocal() || IsClassA() || IsClassC() || IsClassB();
+    }
+}

code/Infrastructure/Services/CertificateValidationService.cs

@@ -0,0 +1,86 @@
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+using Common.Configuration.General;
+using Common.Enums;
+using Infrastructure.Extensions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Infrastructure.Services;
+
+public class CertificateValidationService
+{
+    private readonly ILogger<CertificateValidationService> _logger;
+    private readonly HttpConfig _config;
+
+    public CertificateValidationService(ILogger<CertificateValidationService> logger, IOptions<HttpConfig> config)
+    {
+        _logger = logger;
+        _config = config.Value;
+    }
+
+    public bool ShouldByPassValidationError(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors)
+    {
+        var targetHostName = string.Empty;
+
+        if (sender is not SslStream && sender is not string)
+        {
+            return true;
+        }
+
+        if (sender is SslStream request)
+        {
+            targetHostName = request.TargetHostName;
+        }
+
+        // Mailkit passes host in sender as string
+        if (sender is string stringHost)
+        {
+            targetHostName = stringHost;
+        }
+
+        if (certificate is X509Certificate2 cert2 && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+        {
+            _logger.LogError(
+                $"https://{targetHostName} uses the obsolete md5 hash in its https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.");
+        }
+
+        if (sslPolicyErrors == SslPolicyErrors.None)
+        {
+            return true;
+        }
+
+        if (targetHostName is "localhost" or "127.0.0.1")
+        {
+            return true;
+        }
+
+        var ipAddresses = GetIpAddresses(targetHostName);
+
+        if (_config.CertificateValidation == CertificateValidationType.Disabled)
+        {
+            return true;
+        }
+
+        if (_config.CertificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
+            ipAddresses.All(i => i.IsLocalAddress()))
+        {
+            return true;
+        }
+
+        _logger.LogError($"certificate validation for {targetHostName} failed. {sslPolicyErrors}");
+
+        return false;
+    }
+
+    private static IPAddress[] GetIpAddresses(string host)
+    {
+        if (IPAddress.TryParse(host, out var ipAddress))
+        {
+            return [ipAddress];
+        }
+
+        return Dns.GetHostEntry(host).AddressList;
+    }
+}

docs/src/components/configuration/GeneralSettings.tsx

@@ -81,6 +81,17 @@ const settings: EnvVarProps[] = [
     type: "positive integer number",
     defaultValue: "100",
     required: false,
+  },
+  {
+    name: "HTTP_VALIDATE_CERT",
+    description: [
+      "Controls whether to validate SSL certificates for HTTPS connections.",
+      "Set to `Disabled` to ignore SSL certificate errors."
+    ],
+    type: "text",
+    defaultValue: "Enabled",
+    required: false,
+    acceptedValues: ["Enabled", "DisabledForLocalAddresses", "Disabled"],
   }
 ];